Conference on Incident Response & Digital Investigation 2017 (CoRI&IN), January 24, 2017

Date: March 07, 2017

On the eve of FIC 2017, the CECyF held its third conference dedicated to incident response and digital investigation techniques on 24 January 2017 at the Euratechnologies premises in Lille.

The day offered participants a varied and very interesting set of talks. We summarize one of them here.

Darkode: Analysis of the relational structure of an elite hacker group

By Benoît Dupont (University of Montreal)

https://www.cecyf.fr/wp-content/uploads/2016/08/2017-OK-1-Benoit-DUPONT.pdf

The speaker presented the results of a study of a so-called "bad" hacker forum named "Darkode". It was created to bring together elite programmers to sell products and services, and it gathered about 500 of the best English-speaking hackers. The forum was finally dismantled in July 2015, which resulted in 70 searches in 20 countries. Between 2007 and 2015, the FBI considered it one of the most dangerous forums.

Most hacker forums are invitation-only, with reputation scores for members. But the more members a forum has, the weaker its member evaluations become, and 1/3 of the assessments are not reliable. To eliminate this "noise", the "Private Club" model used by "Darkode" relies on an election system to admit new members.

This study was made possible by a hacker named Xylitol, who made public the contents of the forum from 2009 to 2013 and published about 5000 screenshots.

The first part, "How to subscribe on the Forum", shows in detail (thanks to almost 500 screenshots) the importance of a good résumé covering different criteria (skills in coding, reverse engineering, SQL, ...). It includes statistics on members' skills, products and services, as well as the distribution of the top sponsors who accept nominations.

The second part of the study analyzed the forum's structure (links between members). This structure was not very dense, with five key people at its center. The analysis also shows that many of the organization's big players have not been arrested (they may be moles).

The third and final part of the study aimed to understand the market. In the United States, court fines are based on a theoretical market value. For example, for a person who sells credit card numbers, the fine is calculated on the basis of $500 per unit. But real prices are quite different: according to the negotiations on the forums, asking prices start at around $0.15 and end at a purchase price of $0.02 per unit! It is sometimes difficult to do business, because scams are common on this type of forum. Over a period of 4 years, more than 150 complaints were registered.

The presentation is available here.
